Timeline ActivitiesCache Parser (tac)

Introduction

In the spring of 2018, Microsoft released a Windows 10 update with the capability to show a chronology of actions taken by the user. This new application is called Timeline and is part of Windows Task View. It allows one to go back in time to find the items previously worked on. It has a history from the most recent tasks to a few weeks ago (up to 30 days). Whether going back to a previous Internet search that done some time ago or continuing on with the document that was been read or edited, the functionality is built into the Timeline application to do this.

For the forensic analyst this type of activity collection is very useful. The service is turned on by default and requires one to explicitly disable the functionality if the user does not wish to have their actions recorded. If the activity history is enabled, it may include such details as: which file was viewed and/or edited, website visited, the times all this occurred, etc.

The database storing the user's activity is the ActivitiesCache.db. Each user account has its own database, and it can be found in this location: C:\Users\<useracct>\AppData\Local\ConnectedDevicesPlatform\L.<useracct>\ActivitiesCache.db.

Below is the menu with the various options available:

menu of options

When looking at the parse results of tac, one can see the application run, when it was run and how long it was running. The expiration time is something that allows the timeline to only keep those items on the list that are within a set amount of time to keep the timeline of items manageable. There are many other fields that are used in the database that is not shown below; many of them still need to be studied to determine what they are and if they are of forensic value.

Sample subset output

There is an experimental option in tac to try to recover records that are located in discarded, unused or slack space. The tool tries to do this on a best effort basis and is invoked with the -incl_slack option. Surprisingly the number of recovered records can be significant in some cases. More information about how this is done is discussed in the user's guide.


For more information

The user's guide can be viewed here

If you would like more information about tac, contact us via email.

Downloads

32-bit Version64-bit Version
Windows:tac32.v.0.15.win.ziptac64.v.0.15.win.zipmd5/sha1
Linux:tac32.v.0.15.lin.tar.gztac64.v.0.15.lin.tar.gzmd5/sha1
Mac OS X:tac.v.0.15.osx.tar.gztac.v.0.15.osx.tar.gzmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.